Disassoc reason (8) -- DHCP?

I’ve been struggling with wireless IoT clients (Sonoff and Shelly devices) on a wAP getting disassociated with reason (8).

I’ve read a whole bunch of old threads which led me to looking at the DHCP assignment.

I’m using a Unifi UDM-Pro as the DHCP server, and the wAP is connected to the DHCP server via a pair of Cubes.

I went ahead and set up a DHCP server on the wAP to confirm, and it looks like the disassocs have been eliminated.

But, now I have 2 DHCP servers (I split the pool of IPs between them).

I tried to set the interface on the wAP’s DHCP server to wifi4 and then learned that a DHCP server can only be assigned a master interface.

It seems all my interfaces on the wAP are slaves. And only the bridge appears to be a master.

I am looking for the simplest way to set this up. I found instructions on setting up a second bridge on the wAP with its own DHCP server and a different IP range, but I’d rather find a simpler solution.

I saw in another thread that someone changed their DHCP server options (1, 6, 12) and it fixed it, but I don’t understand how that did it. I can add DHCP options to the UDM-Pro if needed.

Any suggestions?

Thanks!

When you bridge two networks via WiFi, it is important that the WiFi link works in 4-address mode.
When you are (forced to be) using wifiwave2, this is not possible at the moment, and using a DHCP server at the other end of the link will not work.
(It would be possible to configure an IP link with an EoIP interface on top of it, and use that to bridge the networks.)
When you can still use the old “wireless” driver, it is possible, but you need to configure it correctly (ap-bridge and station-bridge modes).

Here’s the wAP’s export (most of it):

/interface bridge
add admin-mac=18:FD:xxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=18:FD:74:5xxxx
set [ find default-name=ether2 ] mac-address=18:FD:74:5xxxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states3" \
    disabled=no disconnect-timeout=15s frequency=auto mode=ap-bridge mtu=1492 \
    name=wlan4 ssid=Chickens
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eCee disabled=no frequency=auto mode=ap-bridge name=wlan5 \
    ssid=Chickens-5ghz
add disabled=no mac-address=1A:FD:74:50:0F:CC master-interface=wlan4 mtu=1452 \
    multicast-buffering=disabled name=wlan3 ssid=2point4 wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-key-update=1h mode=\
    dynamic-keys name=wlan1-profile supplicant-identity=MikroTik
/ip pool
add name=192.168.0.241-192.168.0.251 ranges=192.168.0.241-192.168.0.251
/ip dhcp-server
add address-pool=192.168.0.241-192.168.0.251 interface=bridge lease-time=10m \
    name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan4 learn=\
    yes
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan5
add bridge=bridge ingress-filtering=no interface=ether1
add bridge=bridge ingress-filtering=no interface=wlan3 learn=yes
/ip address
add address=192.168.0.79/24 comment=defconf disabled=yes interface=bridge \
    network=192.168.0.0
add address=192.168.0.80/24 interface=bridge network=192.168.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dns
set max-concurrent-queries=500 max-concurrent-tcp-sessions=100 servers=\
    192.168.0.103
/ip dns static
add address=192.168.0.80 comment=defconf name=wap.router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1

The issue is not the wAP but the Cubes.

Is there a way to make it work with the Cubes in place?

Still struggling with this.

I tried creating firewall rules on the Cubes and the wAP to drop all packets with src or dst ports of 67 or 68, and it seems the DHCP requests and offers still get through.
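
Added example (not part of the thread and not any poster's code): one way to check, from captured DHCP UDP payloads, which servers are actually answering across the bridge and what options 1, 6 and 12 they carry. The sample messages are constructed; 192.168.0.80, the .241 pool and the .103 DNS server come from the wAP export above, while 192.168.0.1 as the UDM-Pro address, the .50 lease and the hostname are assumptions.

```python
import ipaddress
import struct

MAGIC = bytes.fromhex("63825363")   # DHCP magic cookie, follows the 236-byte BOOTP header
OFFER, ACK = 2, 5                   # option 53 message types sent by servers
_ip = lambda raw: str(ipaddress.IPv4Address(raw))   # ValueError unless exactly 4 bytes

def parse_dhcp(payload: bytes) -> dict:
    """Decode one DHCP UDP payload: yiaddr plus options 1, 6, 12, 53 and 54."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end of options
        if payload[i] == 0:                          # 0 = pad byte, no length field
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return {
        "type": opts[53][0] if opts.get(53) else None,
        "yiaddr": _ip(payload[16:20]),                     # address handed to the client
        "server": _ip(opts[54]) if 54 in opts else None,   # 54: server identifier
        "mask": _ip(opts[1]) if 1 in opts else None,       # 1: subnet mask
        "dns": [_ip(opts[6][j:j + 4]) for j in range(0, len(opts.get(6, b"")), 4)],  # 6
        "hostname": opts[12].decode("ascii", "replace") if 12 in opts else None,     # 12
    }

def offers_by_server(payloads) -> dict:
    """Map each responding server (option 54) to the addresses it offered or acked."""
    seen = {}
    for m in map(parse_dhcp, payloads):
        if m["type"] in (OFFER, ACK) and m["server"]:
            seen.setdefault(m["server"], []).append(m["yiaddr"])
    return seen

def build_reply(msg_type, yiaddr, server, dns, hostname) -> bytes:
    """Build a constructed server reply; sample data for this example only."""
    a = lambda s: ipaddress.IPv4Address(s).packed
    opts = {53: bytes([msg_type]), 54: a(server), 1: a("255.255.255.0"),
            6: a(dns), 12: hostname.encode()}
    hdr = struct.pack("!BBBBIHH4s4s8x16s192x", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), a(yiaddr), bytes(16))
    return hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in opts.items()) + b"\xff"

# Constructed sample: one offer from the assumed UDM-Pro address, one from the wAP.
SAMPLES = [build_reply(OFFER, "192.168.0.50", "192.168.0.1", "192.168.0.103", "shelly1"),
           build_reply(OFFER, "192.168.0.241", "192.168.0.80", "192.168.0.103", "shelly1")]
UNEXPECTED = set(offers_by_server(SAMPLES)) - {"192.168.0.1"}   # servers other than the UDM-Pro
```

Feeding it the UDP payloads of port 67/68 traffic captured on the client side of the link shows whether offers from the far-side server still arrive after a filter change.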